PCI DSS Compliance – you need to take this seriously

What is the PCI DSS?

The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to increase controls around cardholder data to reduce payment card fraud. It is administered by the PCI SSC (Payment Card Industry Security Standards Council).

Who needs to comply with the PCI DSS?

The PCI DSS applies to any organisation (regardless of size or number of transactions) that accepts, stores, transmits or processes cardholder data.

If you are a merchant, the PCI DSS applies to you. Even if you have subcontracted all PCI DSS activities to a third party, you are still responsible for ensuring all contracted parties comply with the Standard.

If you are a service provider, including a software developer, the PCI DSS applies to you if you process, transmit or store cardholder data, or your activities affect the security of the cardholder data as it is being processed, transmitted or stored.

Why is PCI DSS compliance important?

Payment security is important for every merchant, financial institution or other organisation that stores, processes or transmits cardholder data.

According to UK Finance’s Fraud the Facts 2019 report, unauthorised financial fraud losses amounted to £844.8 million in 2018, an increase of 16% compared to 2017.

The cardholder data that you store can be stolen from many places, including:

• Compromised card readers;
• Filed paper records;
• Cardholder data stored in databases;
• Rogue access to your organisation’s wireless or wired network; and
• Concealed cameras recording the entry of authentication data.

If implemented correctly, the PCI DSS can help organisations secure cardholder data. It provides a baseline set of security requirements that lets organisations know what action they should take.

A key benefit of the Standard is the detailed action plan it provides – this can be applied to organisations of any size or type that use any method of processing or storing payment card data.

Penalties for non-compliance with the PCI DSS

The breach or theft of cardholder data damages consumer confidence, which in turn leads to lost business. Any merchant that breaches the PCI DSS could face serious consequences, including fines, litigation and reputational damage. The implications can be far-reaching and include:
• Fraud losses;
• Loss of customer confidence;
• Diminished sales;
• Cost of reissuing new payment cards;
• Higher subsequent costs of compliance;
• Legal costs, settlements and judgements;
• Fines and penalties;
• Termination of ability to accept payment cards; and
• Lost jobs.

Payment data – a target for attack

Payment card data is the prime target in attacks against commercial environments.

The 2019 Trustwave Global Security Report identified that threat actors targeted payment card data in most incidents, with card-not-present (CNP) data making up nearly 25% of events, and card-track (magnetic stripe) data comprising 11%.

Criminal hackers want your cardholder data. By obtaining the PAN (primary account number) and sensitive authentication data, an attacker can impersonate the cardholder, use the card, and steal the cardholder’s identity.